Multi-level hierarchy based permission in SuiteCRM
SuiteCRM, extended from community edition of SugarCRM, is a fully customisable feature rich CRM solution. And one of the feature that makes it enterprise ready, is its ability to provides a neat way to apply permissions for users. You can refer to the SuiteCRM security suite documentation here.
However, the example given in the documentation explains how security suite can work with 3 level of hierarchy. But often in enterprise level organization, 3 level of hierarchy may not be enough. I am writing this post to explain in particular how security suite can be configured in case you need more than 3 level of hierarchy. I am also assuming that you have already gone through the SuiteCRM security documentation and have a fair understanding of how permissions work in there. So I’ll jump straight on to how to configure for multi hierarchy.
Let’s take an example of an organization which has sales representatives in localities, and there is city head who manages these sales reps. For city heads, there is a state head and for all state heads there is a country head. Country head should be able to see all the leads, state head should be able to see all the leads for cities he is managing and so on. Locality sales representatives should be able to access their own leads only. Furhter, lets take cities Mumbai and Pune which belongs to state Maharashtra and cities Bangalore, Mysore which belongs to state Karnataka.
Se we need to create following security groups :
Bangalore city
Mysore city
Mumbai city
Pune city
Karnataka state
Maharashtra state
India country
And lets create following roles :
Owner Only for owner access to records.
Group Only for group access to records.
All the locality sales representatives need to be associated with “Owner only” ole as they need to access records assigned to them only. And everyone else should be associated to “Group only” role. Also, sales reps should be tagged to their respective city groups. Since they have owner only permission, they will not able to see the records available for the group. City heads to be tagged to their respective city groups. State heads to be tagged with respective city group and state group. And country head will be part of all city, state and country group (India country for our example).
By default, while creating a record, it will inherit all the groups associated with the creator or to whom its assigned. Which means if a sales rep is creating a lead, that leads will get linked to the city group he is associated with, which is how city head will be able to access these leads. Similarly, when city head creates a lead for himself, it will tagged to city group. But what happens when Karnataka head creates a lead for himself. Since he is part of groups Karnataka state, Bangalore city, Mysore city, lead created will get tagged to all these groups and since all the city managers have group permissions and are part of respective city group, they’ll be able to see this record, which is not what we intend to do. City heads should not be able to view state heads leads, only country head should be able to do so.
There is an option in SuiteCRM at user group level to define which all groups should be tagged while creating a record by specific user. So we will un-check all the groups except “Karnataka group”. Now when he creates a lead, it will be tagged only to Karnataka group and hence will be accessible only to country head.
Below is the screenshot for India’s head user. India is marked as Primary Group and Karnataka and Maharashatra are marked as Not Inheritable. Now when India head tries to create a lead, it by default will be associated with India group only.
